Skip to content

Releases: SecNode/API-PENTESTER

v0.1.0

12 Mar 14:41
@AnishVarma-secnode AnishVarma-secnode
v0.1.0
fef618f

Choose a tag to compare

View all tags
v0.1.0 Latest
Latest

SecNode API - v0.1.0 Release Notes

Release Date: March 2026
Repository: SecNode/API-PENTESTER
License: Apache 2.0

Overview

We're excited to ship the first public release of SecNode API, an autonomous, AI-augmented black-box API penetration testing framework. SecNode API ingests OpenAPI/Swagger schemas and runs a full adversarial assessment pipeline: schema analysis, AI-driven test generation, async execution, AI validation, deduplication, and structured reporting, all without writing a single one-off test script.

This release establishes the core architecture, the autonomous agent mode, the microservices runtime foundation, and a full CI/CD pipeline.

What's in v0.1.0

Core Pipeline

  • Schema ingestion - Fetches and normalizes local or remote OpenAPI/Swagger schemas (JSON and YAML) into a structured internal representation via schema_fetcher.
  • AI understanding stage - Uses an LLM to analyze business context, trust boundaries, and high-risk flows before generating tests.
  • Multi-stage specialized AI test generation - Generates 30-50 targeted adversarial test cases per category across four parallel tracks:
    • Identity & Access Control (BOLA, BFLA, IDOR)
    • Data Integrity & Injection (SQLi, NoSQLi, mass assignment)
    • Infrastructure & SSRF (SSRF, misconfigurations, info leaks)
    • Business Logic & State (race conditions, workflow bypasses)
  • Async test execution - Concurrent HTTP execution via httpx with configurable concurrency, retry logic, and optional proxy routing.
  • AI validation + deterministic validators - A two-tier validation system: deterministic pattern matchers for high-confidence classes (BOLA, BFLA, mass assignment, rate limiting) followed by an LLM-based triage stage with confidence bucketing into confirmed and suspected findings.
  • AI deduplication - Clusters findings sharing the same root cause and retains the highest-severity representative.
  • Structured reporting - Produces report.md (human-readable with CVSS severity badges, evidence snippets, and remediation) and findings.json (machine-readable) per scan run.

Autonomous Agent Mode

  • Plan -> Execute -> Observe -> Validate -> Replan loop with configurable iteration and request budget limits.
  • Adaptive concurrency - Dynamically scales worker concurrency based on observed failure rate.
  • Per-endpoint budgeting - Prevents overloading individual endpoints during autonomous runs.
  • Stateful chain tests - Extracts object IDs from responses to generate follow-up BOLA chain tests and mass assignment escalations automatically.

Active Reconnaissance

  • Active recon stage in the pipeline probes for undocumented "shadow" endpoints using path mutations (version swaps, extension fuzzing, admin/debug suffixes), method probing, hidden parameter fuzzing, and ID injection.
  • AI recon analysis - Discovered shadow endpoints are passed to a dedicated LLM analyzer to generate targeted exploitation tests.

Microservices Runtime (Foundation)

  • FastAPI control plane (secnodeapi-server) with session lifecycle endpoints: POST /sessions, POST /sessions/{id}/run, GET /sessions/{id}.
  • Controller service with planner, skill engine, memory subsystem, attack graph, and reporting integrated end-to-end.
  • Skill engine with a ranked skill registry, precondition filtering, and auth-state gating. Default skills: api_path_fuzz, template_vuln_scan, sqli_probe, active_spider_scan, route_inventory, auth_diff_scan.
  • Four specialized worker types - recon, discovery, fuzzing, exploit - each backed by a tool adapter (ffuf, nuclei, sqlmap, ZAP, kiterunner).
  • Replanning loop - PlannerService iterates up to a configurable cap, enriching context from findings (injection params, high-confidence signals) before selecting the next skill batch.
  • Attack graph engine - Tracks skill execution edges, computes multi-step attack chains via DFS, and scores paths by depth and confidence.
  • Memory subsystem - Session state, attack history, and skill metrics stores with both in-memory and PostgreSQL backends.
  • Redis queue adapter and Postgres execution store for production-grade deployments.
  • Docker Compose local stack - make up brings up the API gateway, Redis, Postgres, and four worker containers.

Multi-Provider LLM Support

Provider selection is via the SECNODE_LLM environment variable using LiteLLM routing:

Provider Model string prefix Key variable
OpenAI openai/ OPENAI_API_KEY
Anthropic anthropic/ ANTHROPIC_API_KEY
Nebius nebius/ NEBIUS_API_KEY
Ollama (local) ollama/ (none required)

CLI

# Schema inspection only
secnodeapi --target ./openapi.yaml --schema-only

# Generate tests without executing (dry run)
secnodeapi --target https://api.example.com/swagger.json --dry-run --dry-run-output ./results/tests.json

# Full autonomous agent scan with auth
secnodeapi --target https://api.example.com/swagger.json \
  --auth-header "Authorization: Bearer <token>" \
  --mode agent --request-budget 500 --max-iterations 6

# Greybox mode with multiple identity sets
secnodeapi --target https://api.example.com/swagger.json \
  --instruction "token=admin_jwt, username=admin, role=superuser" \
  --instruction "token=user_jwt, username=user"

# Proxy routing (e.g. Burp Suite)
secnodeapi --target https://api.example.com/swagger.json \
  --proxy http://127.0.0.1:8080 --insecure

# Microservices runtime
secnodeapi --target https://api.example.com/swagger.json --mode microservices

Differential Identity Testing

  • --identities-file accepts a JSON file of named identity header sets for differential authorization testing across multiple roles.
  • --instruction accepts comma-separated key=value pairs to pass greybox credentials and variables into AI prompt context and identity resolution.

Benchmarking Harness

  • benchmarks/ directory with five calibration scenarios covering BOLA, SQL injection, hidden endpoint discovery, mass assignment, and privilege escalation via auth differential.
  • Precision/recall/F1 scorer and JSON metrics writer for ongoing calibration tracking.

CI/CD

GitHub Actions workflow on every pull request runs:

  1. Lint (ruff)
  2. Test suite with coverage threshold enforcement
  3. Contract schema compatibility tests
  4. Benchmark smoke tests
  5. Package build (uv build)
  6. Dependency vulnerability audit (pip-audit)
  7. SecNode scan job template against staging targets
  8. Container vulnerability scan via Trivy (CRITICAL/HIGH, OS + library)

Installation

# Recommended: uv
uv sync --extra dev

# pip
python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt && pip install -e .[dev]

Requires Python 3.10+.

Known Limitations

  • Greybox --mode greybox with --scenario file support is scaffolded but not yet implemented in this release.
  • GraphQL discovery module (discovery/graphql.py) and JS endpoint scraper (discovery/js_scraper.py) are implemented but not yet wired into the main pipeline.
  • Tool adapters (ffuf, nuclei, sqlmap, ZAP, kiterunner) invoke real binaries; those tools must be separately installed for the microservices runtime to execute them.
  • The pipeline does not yet resolve $ref schemas for complex nested request body generation.

What's Next

Something special is coming for the bug bounty/vulnerability disclosure community🔥

Security and Responsible Use

SecNode API is a security research and testing tool. Only run it against systems you own or have explicit written authorization to test. See SECURITY.md and CODE_OF_CONDUCT.md.

Contributing

See CONTRIBUTING.md for setup instructions, PR guidelines, and code style expectations.

Assets 2
Loading